cess permissive=1
[ 15.397027][ T30] audit: type=1400 audit(1779080452.718:63): avc: denied { siginh } for pid=223 comm="sh" scontext=system_u:system_r:sshd_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 19.459606][ T273] scp (273) used greatest stack depth: 20480 bytes left
Warning: Permanently added '10.128.0.217' (ED25519) to the list of known hosts.
2026/05/18 05:01:04 parsed 1 programs
[ 27.511827][ T30] audit: type=1400 audit(1779080464.888:64): avc: denied { node_bind } for pid=293 comm="syz-execprog" saddr=::1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=1
[ 27.532914][ T30] audit: type=1400 audit(1779080464.888:65): avc: denied { module_request } for pid=293 comm="syz-execprog" kmod="net-pf-2-proto-262-type-1" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
[ 28.214337][ T30] audit: type=1400 audit(1779080465.588:66): avc: denied { mounton } for pid=299 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=2024 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 28.215390][ T299] cgroup: Unknown subsys name 'net'
[ 28.237341][ T30] audit: type=1400 audit(1779080465.588:67): avc: denied { mount } for pid=299 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 28.264850][ T30] audit: type=1400 audit(1779080465.618:68): avc: denied { unmount } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 28.265003][ T299] cgroup: Unknown subsys name 'devices'
[ 28.376671][ T299] cgroup: Unknown subsys name 'hugetlb'
[ 28.382277][ T299] cgroup: Unknown subsys name 'rlimit'
[ 28.523504][ T30] audit: type=1400 audit(1779080465.898:69): avc: denied { setattr } for pid=299 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=254 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 28.547150][ T30] audit: type=1400 audit(1779080465.898:70): avc: denied { create } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 28.552944][ T303] SELinux: Context root:object_r:swapfile_t is not valid (left unmapped).
[ 28.567961][ T30] audit: type=1400 audit(1779080465.898:71): avc: denied { write } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[ 28.596543][ T30] audit: type=1400 audit(1779080465.898:72): avc: denied { read } for pid=299 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
Setting up swapspace version 1, size = 127995904 bytes
[ 28.616880][ T30] audit: type=1400 audit(1779080465.908:73): avc: denied { mounton } for pid=299 comm="syz-executor" path="/proc/sys/fs/binfmt_misc" dev="binfmt_misc" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:binfmt_misc_fs_t tclass=dir permissive=1
[ 28.645610][ T299] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k
[ 29.108341][ T305] request_module fs-gadgetfs succeeded, but still no fs?
[ 29.229834][ T314] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.236988][ T314] bridge0: port 1(bridge_slave_0) entered disabled state
[ 29.244379][ T314] device bridge_slave_0 entered promiscuous mode
[ 29.251649][ T314] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.258696][ T314] bridge0: port 2(bridge_slave_1) entered disabled state
[ 29.266327][ T314] device bridge_slave_1 entered promiscuous mode
[ 29.301381][ T314] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.308679][ T314] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 29.315988][ T314] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.323125][ T314] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 29.341170][ T315] bridge0: port 1(bridge_slave_0) entered disabled state
[ 29.348481][ T315] bridge0: port 2(bridge_slave_1) entered disabled state
[ 29.356024][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 29.363550][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 29.372709][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 29.381010][ T315] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.394450][ T315] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 29.404771][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 29.412998][ T315] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.420073][ T315] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 29.432660][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 29.442273][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 29.455424][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 29.467994][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 29.476142][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 29.483639][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 29.491923][ T314] device veth0_vlan entered promiscuous mode
[ 29.501120][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 29.511804][ T314] device veth1_macvtap entered promiscuous mode
[ 29.520949][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 29.531070][ T315] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 30.156128][ T45] device bridge_slave_1 left promiscuous mode
[ 30.162599][ T45] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.170598][ T45] device bridge_slave_0 left promiscuous mode
[ 30.177004][ T45] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.185720][ T45] device veth1_macvtap left promiscuous mode
[ 30.191758][ T45] device veth0_vlan left promiscuous mode
2026/05/18 05:01:07 executed programs: 0
[ 30.359221][ T367] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.366399][ T367] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.373688][ T367] device bridge_slave_0 entered promiscuous mode
[ 30.380854][ T367] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.388129][ T367] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.395706][ T367] device bridge_slave_1 entered promiscuous mode
[ 30.430847][ T367] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.437996][ T367] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.445287][ T367] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.452313][ T367] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.469495][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 30.477505][ T10] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.484898][ T10] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.493904][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 30.502254][ T10] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.509703][ T10] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.526103][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 30.534904][ T10] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.541987][ T10] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.549476][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 30.558251][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 30.572780][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 30.588966][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 30.597439][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 30.605003][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 30.613291][ T367] device veth0_vlan entered promiscuous mode
[ 30.623348][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 30.632537][ T367] device veth1_macvtap entered promiscuous mode
[ 30.641180][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 30.652893][ T10] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 30.682901][ T372] loop2: detected capacity change from 0 to 2048
[ 30.726561][ T372] EXT4-fs (loop2): mounted filesystem without journal. Opts: init_itable,acl,mb_optimize_scan=0x0000000000000001,,errors=continue. Quota mode: none.
[ 30.752361][ T372] ==================================================================
[ 30.760460][ T372] BUG: KASAN: use-after-free in ext4_listxattr+0x4a6/0xc50
[ 30.767657][ T372] Read of size 4 at addr ffff88812f387044 by task syz.2.17/372
[ 30.775193][ T372]
[ 30.777503][ T372] CPU: 1 PID: 372 Comm: syz.2.17 Not tainted syzkaller #0
[ 30.784614][ T372] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/18/2026
[ 30.794764][ T372] Call Trace:
[ 30.798053][ T372]
[ 30.800997][ T372] __dump_stack+0x21/0x30
[ 30.805357][ T372] dump_stack_lvl+0x110/0x170
[ 30.810033][ T372] ? show_regs_print_info+0x20/0x20
[ 30.815232][ T372] ? load_image+0x3e0/0x3e0
[ 30.819908][ T372] print_address_description+0x7f/0x2c0
[ 30.825451][ T372] ? ext4_listxattr+0x4a6/0xc50
[ 30.830389][ T372] kasan_report+0xf1/0x140
[ 30.834808][ T372] ? ext4_listxattr+0x4a6/0xc50
[ 30.839663][ T372] __asan_report_load4_noabort+0x14/0x20
[ 30.845299][ T372] ext4_listxattr+0x4a6/0xc50
[ 30.850063][ T372] ? ____kasan_slab_free+0x130/0x160
[ 30.855396][ T372] ? ext4_xattr_get+0x820/0x820
[ 30.860259][ T372] ? user_path_at_empty+0x161/0x1c0
[ 30.865459][ T372] ? security_inode_listxattr+0xc9/0x110
[ 30.871089][ T372] listxattr+0x294/0x300
[ 30.875385][ T372] ? ext4_xattr_get+0x820/0x820
[ 30.880413][ T372] path_listxattr+0xe1/0x1b0
[ 30.885002][ T372] ? getxattr+0x410/0x410
[ 30.889356][ T372] ? debug_smp_processor_id+0x17/0x20
[ 30.894910][ T372] __x64_sys_listxattr+0x80/0x90
[ 30.899874][ T372] x64_sys_call+0xd7/0x9a0
[ 30.904380][ T372] do_syscall_64+0x4c/0xa0
[ 30.908796][ T372] ? clear_bhb_loop+0x50/0xa0
[ 30.913562][ T372] ? clear_bhb_loop+0x50/0xa0
[ 30.918238][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 30.924235][ T372] RIP: 0033:0x7fa68ffb6e59
[ 30.928656][ T372] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 30.948351][ T372] RSP: 002b:00007ffe1d1f6a78 EFLAGS: 00000246 ORIG_RAX: 00000000000000c2
[ 30.956778][ T372] RAX: ffffffffffffffda RBX: 00007fa69022ffa0 RCX: 00007fa68ffb6e59
[ 30.964837][ T372] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00002000000004c0
[ 30.972805][ T372] RBP: 00007fa69004cd6f R08: 0000000000000000 R09: 0000000000000000
[ 30.980774][ T372] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 30.988827][ T372] R13: 00007fa69022ffac R14: 00007fa69022ffa0 R15: 00007fa69022ffa0
[ 30.996799][ T372]
[ 30.999814][ T372]
[ 31.002132][ T372] The buggy address belongs to the page:
[ 31.007842][ T372] page:ffffea0004bce1c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 pfn:0x12f387
[ 31.018162][ T372] flags: 0x4000000000000000(zone=1)
[ 31.023428][ T372] raw: 4000000000000000 ffffea0004bce208 ffffea0004bce148 0000000000000000
[ 31.032028][ T372] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[ 31.040787][ T372] page dumped because: kasan: bad access detected
[ 31.047466][ T372] page_owner tracks the page as freed
[ 31.052846][ T372] page last allocated via order 0, migratetype Movable, gfp_mask 0x100cca(GFP_HIGHUSER_MOVABLE), pid 372, ts 30750278168, free_ts 30752131537
[ 31.067335][ T372] post_alloc_hook+0x192/0x1b0
[ 31.072288][ T372] prep_new_page+0x1c/0x110
[ 31.076798][ T372] get_page_from_freelist+0x2d3a/0x2dc0
[ 31.082444][ T372] __alloc_pages+0x1a2/0x460
[ 31.087025][ T372] shmem_alloc_and_acct_page+0x4a2/0x8d0
[ 31.092654][ T372] shmem_getpage_gfp+0xfe5/0x2310
[ 31.098114][ T372] shmem_write_begin+0xce/0x1b0
[ 31.102960][ T372] generic_perform_write+0x2b7/0x690
[ 31.108239][ T372] __generic_file_write_iter+0x268/0x480
[ 31.113867][ T372] generic_file_write_iter+0xa9/0x1d0
[ 31.119232][ T372] vfs_write+0x835/0xfd0
[ 31.123565][ T372] ksys_write+0x149/0x250
[ 31.127939][ T372] __x64_sys_write+0x7b/0x90
[ 31.132522][ T372] x64_sys_call+0x8ef/0x9a0
[ 31.137023][ T372] do_syscall_64+0x4c/0xa0
[ 31.141440][ T372] entry_SYSCALL_64_after_hwframe+0x66/0xd0
[ 31.147399][ T372] page last free stack trace:
[ 31.152062][ T372] free_unref_page_prepare+0x542/0x550
[ 31.157515][ T372] free_unref_page_list+0x13a/0x9d0
[ 31.162708][ T372] release_pages+0x1006/0x1060
[ 31.167480][ T372] __pagevec_release+0x71/0xe0
[ 31.172243][ T372] shmem_undo_range+0x595/0x1470
[ 31.177180][ T372] shmem_evict_inode+0x21a/0xa10
[ 31.182114][ T372] evict+0x4c9/0x8d0
[ 31.186202][ T372] iput+0x635/0x7c0
[ 31.190120][ T372] dentry_unlink_inode+0x32f/0x3e0
[ 31.195233][ T372] __dentry_kill+0x44f/0x650
[ 31.200005][ T372] dentry_kill+0xc0/0x2a0
[ 31.204341][ T372] dput+0x47/0x90
[ 31.207972][ T372] __fput+0x580/0x8b0
[ 31.211951][ T372] ____fput+0x15/0x20
[ 31.216065][ T372] task_work_run+0x127/0x190
[ 31.220663][ T372] exit_to_user_mode_loop+0xd0/0xe0
[ 31.225964][ T372]
[ 31.228285][ T372] Memory state around the buggy address:
[ 31.233911][ T372] ffff88812f386f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.241965][ T372] ffff88812f386f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 31.250202][ T372] >ffff88812f387000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.258269][ T372] ^
[ 31.264530][ T372] ffff88812f387080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.272592][ T372] ffff88812f387100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 31.280685][ T372] ==================================================================
[ 31.289082][ T372] Disabling lock debugging due to kernel taint